Phishing in 2026 remains the most-used entry door in cybersecurity incidents. The Verizon Data Breach Investigations Report 2024 places it as the initial vector in a very high proportion of breaches with a human element (around 68-74% depending on the cut). Knowing how to avoid phishing combines three planes: signs to recognise, technical measures the security team deploys and processes the organisation trains. This guide covers what actually works: operational signals to identify a suspicious email, technical defences (MFA, DMARC, email filters with sandboxing, EDR), the response plan if someone fell for one and the mistakes that render an awareness campaign ineffective. Designed for users and security leaders in SMEs and midmarket.
If you're after the full landscape of variants (spear phishing, whaling, smishing, vishing, BEC), it's in types of phishing. Here we go straight to how to avoid it.
What phishing is in 30 seconds
Phishing is a social engineering attack where an attacker impersonates a legitimate entity (bank, supplier, boss, platform) so the victim reveals credentials, executes a malicious file, authorises an operation or clicks a link that gives the attacker what they need. It typically arrives by email, but also by SMS (smishing), calls (vishing), messaging (WhatsApp, Teams, Slack) and social networks.
The attacker's goal isn't always direct money: very often they're after a valid corporate account to use as a pivot toward bigger attacks (ransomware, CEO fraud, exfiltration).
10 signs to recognise a phishing email
The signs that appear in any serious training aren't infallible on their own, but an email that shows half of them is almost never legitimate.
- Unexpected or dissonant sender. A supplier you don't work with, a bank that isn't yours, a service that never writes to you.
- From address different from the displayed name. The name says "Microsoft Support", the actual address is support@account-microsoft-secure.com. Always look at the address, not the name.
- Domains that look similar but aren't identical. m1crosoft.com, paypa1.com, secra.es.security-update.net. The trick of substituting letters in the domain or using long subdomains is one of the most exploited.
- Artificial urgency. "Your account will be blocked in 24h", "Last chance", "Immediate action required". Urgency neutralises critical thinking; that's why the attacker forces it.
- Request for credentials or sensitive data. Legitimate services don't ask for passwords by email, almost never for an ID number, never for MFA codes.
- Links that point to destinations different from the visible text. Hover over without clicking: if the real destination (bottom corner of the browser or mail client) doesn't match what the link shows, suspect.
- Unexpected attachments. ZIP, ISO, IMG, compressed files with unusual extensions or documents that ask to "enable macros" or "enable content". Classic vector of Emotet and its successors.
- Odd language. Severe spelling mistakes, strange tone, badly assembled sentences, language mix. Generative AI has reduced this in frequency, but it still appears in lower-tier campaigns.
- Generic greeting. "Dear customer". Serious services usually personalise.
- Mismatch with your real activity. An invoice for something you didn't buy, a delivery you weren't expecting, a password reset you didn't request. The most effective thing against targeted phishing is knowing your own normal.
One suspicious point doesn't make an email phishing; three or four together do. The decisive thing is to stop and verify by alternative channel before acting.
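Most of these signs can be checked mechanically, which is the first pass a SOC triage script or the backend of a "report phishing" button performs before an analyst looks. The script below is an added example, not code from the article or from Secra: it scores a raw message against the sender, lookalike-domain, urgency, credential-request, generic-greeting, link-mismatch and attachment signs listed above. The trusted-domain list, the keyword lists and the sample message are constructed for the example, and the helpers are deliberately simple (no public-suffix list, regex-based link extraction that is enough for the sample but not for arbitrary HTML).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for the example: the brands this organisation actually deals with.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "secra.es"}
URGENCY = ("immediate action", "last chance", "will be blocked", "within 24", "suspended")
CREDENTIAL_WORDS = ("password", "verification code", "mfa code", "one-time code")
RISKY_EXT = (".zip", ".iso", ".img", ".exe", ".js", ".lnk", ".docm", ".xlsm")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")

def registrable(host):
    """Last two labels of a hostname (no public-suffix list; enough for the example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(host):
    """Trusted domain that `host` imitates, or None: single-character swaps
    (m1crosoft.com) and brand names inside a longer hostname (secra.es.security-update.net)."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        one_off = len(reg) == len(trusted) and sum(a != b for a, b in zip(reg, trusted)) == 1
        if one_off or trusted.split(".")[0] in host.lower():
            return trusted
    return None

def score_message(raw):
    """Returns (number of signs hit, reasons) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rpartition("@")[2]
    for trusted in TRUSTED_DOMAINS:  # display name claims a brand the address domain is not
        if trusted.split(".")[0] in name.lower() and registrable(from_host) != trusted:
            reasons.append(f"display name '{name}' but sender domain {from_host}")
    if lookalike(from_host):
        reasons.append(f"sender domain {from_host} imitates {lookalike(from_host)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in URGENCY if w in subject or w in text]
    if hits:
        reasons.append("urgency: " + ", ".join(hits))
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials or codes")
    if any(g in text[:200] for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    # Regex anchor extraction: fine for the constructed sample, not for arbitrary HTML.
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.S | re.I):
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        target = urlparse(href).hostname or ""
        shown = visible.lower().split("//")[-1].split("/")[0]
        if "." in shown and registrable(shown) != registrable(target):
            reasons.append(f"link shows {shown} but goes to {target}")
        if lookalike(target):
            reasons.append(f"link destination {target} imitates {lookalike(target)}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {fname}")
    return len(reasons), reasons

def verdict(raw):
    """The article's rule of thumb: one sign is noise, three or more together is phishing."""
    n = score_message(raw)[0]
    return "likely phishing" if n >= 3 else "needs a second look" if n else "no signs"

# Constructed sample message that reproduces several of the signs listed above.
SAMPLE = """\
From: "Microsoft Support" <support@account-microsoft-secure.com>
To: user@secra.es
Subject: Immediate action required: your account will be blocked in 24h
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p><p>Confirm your password within 24 hours at
<a href="https://login.m1crosoft.com/verify">https://login.microsoft.com</a>.</p></body></html>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

PK-placeholder-bytes
--b1--
"""
```

`verdict(SAMPLE)` returns "likely phishing" and `score_message(SAMPLE)` lists eight separate reasons, which is the part worth surfacing to the person who reported the email: the list is the training piece. A message from a known internal sender with no links or attachments scores zero.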
Technical measures: what should be in place at a company
Human awareness is half the job. The other half is technical and depends on the security and IT team.
MFA on every account
It's the measure with the best cost/impact ratio of the whole list. A phishing email that captures username and password loses immediate value if the account requires a second factor. Worth combining:
- Strong MFA (authenticator apps, passkeys, FIDO2 keys) on privileged accounts.
- Standard MFA (authenticator apps or SMS as minimum, although SMS is weak) on all the rest.
- Conditional Access or equivalents that add context controls (location, device, risk).
SMS MFA blocks most opportunistic attackers but doesn't protect against SIM swapping or modern adversary in the middle. On accounts for executives, finance, cloud administration and critical services, strong MFA is non-negotiable.
Properly configured DMARC, DKIM and SPF
These three protocols are the domain-level defence: they prevent an attacker from sending mail that impersonates your domain, and they let your mail servers reject impersonations of other domains that have configured them correctly.
- SPF: declares which servers can send mail on your behalf.
- DKIM: signs outgoing emails; the public key used to verify the signature is published in DNS.
- DMARC: policy on what to do when an email fails SPF/DKIM (p=none, p=quarantine, p=reject).
The target configuration is DMARC in p=reject with correct SPF and DKIM for every service that sends mail on your behalf (Microsoft 365, Google Workspace, marketing platforms, CRM, support tools). Without this, an attacker can send emails from any address @yourdomain.com with near-total credibility.
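The receiving side is where the three records combine, and that is what decides whether a spoofed message is delivered. The model below is an added example, not code from the article or from any mail provider: it evaluates a simplified SPF record (ip4, include and the all term), parses a DMARC record, checks identifier alignment and returns the disposition a receiver would apply. The DNS answers are a constructed in-memory table (secra.es with p=reject, example.org still on p=none); a real receiver queries DNS and verifies the DKIM signature cryptographically, which is represented here by a (domain, verified) pair handed in.

```python
import ipaddress

# Constructed DNS zone data for the example. secra.es publishes SPF (part of it
# delegated to a mail provider via include:) and an enforcing DMARC policy;
# example.org publishes only the monitoring policy p=none.
DNS_TXT = {
    "secra.es": "v=spf1 ip4:203.0.113.0/24 include:mail.example-provider.net -all",
    "mail.example-provider.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.secra.es": "v=DMARC1; p=reject; rua=mailto:dmarc@secra.es; adkim=r; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def registrable(host):
    """Organisational domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def spf_check(domain, sender_ip, depth=0):
    """Simplified SPF evaluation: ip4 and include mechanisms plus the 'all' term.
    Real SPF also handles a, mx, exists, redirect= and the 10-lookup limit."""
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
        if term.startswith("include:") and spf_check(term[8:], sender_ip, depth + 1) == "pass":
            return RESULT[qualifier]
        if term == "all":
            return RESULT[qualifier]
    return "neutral"

def parse_dmarc(domain):
    """Tags of the _dmarc TXT record, or None if the domain publishes no usable policy."""
    record = DNS_TXT.get(f"_dmarc.{domain.lower()}", "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return {"adkim": "r", "aspf": "r", **tags}  # relaxed alignment is the default

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs the exact domain; relaxed accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return registrable(auth_domain) == registrable(from_domain)

def dmarc_evaluate(from_domain, envelope_domain, sender_ip, dkim_results):
    """Receiver-side DMARC decision. dkim_results is a list of (d= domain, verified)
    pairs as a DKIM verifier would return. Returns (disposition, explanation)."""
    pol = parse_dmarc(from_domain)
    if pol is None:
        return "none", "no DMARC policy: the message is judged on SPF/DKIM alone"
    spf_ok = (spf_check(envelope_domain, sender_ip) == "pass"
              and aligned(envelope_domain, from_domain, pol["aspf"]))
    dkim_ok = any(ok and aligned(d, from_domain, pol["adkim"]) for d, ok in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " passed"
    return pol["p"], f"no aligned authentication; receiver applies p={pol['p']}"

# Three constructed deliveries: legitimate mail via the provider, a spoof of the
# enforcing domain, and the same spoof against the domain still in monitoring mode.
def scenarios():
    return {
        "legit_via_provider": dmarc_evaluate("secra.es", "secra.es", "198.51.100.10", [("secra.es", True)]),
        "spoof_vs_reject": dmarc_evaluate("secra.es", "attacker.example", "192.0.2.7", [("attacker.example", True)]),
        "spoof_vs_none": dmarc_evaluate("example.org", "attacker.example", "192.0.2.7", [("attacker.example", True)]),
    }
```

The third scenario is the one worth noticing: the spoof of example.org carries a perfectly valid DKIM signature, but it is signed by the attacker's own domain, so it is not aligned with the From: domain. With p=none the receiver still delivers it; the same message aimed at secra.es comes back as "reject". That is the whole difference between monitoring and enforcement.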
Email filter with sandboxing
The native filter in Microsoft 365 or Google Workspace blocks the bulk of mass campaigns. For a more solid defence, it is worth adding:
- Attachment sandboxing: detonate files in an isolated environment before delivering them to the inbox.
- URL rewriting: change links to validate them at click time, not delivery time (attackers activate the malicious domain right after sending).
- Impostor detection: rules detecting sender impersonation (display name spoofing, similar domains, typosquatting).
Usual solutions: Microsoft Defender for Office 365, Google Workspace with add-ons, Proofpoint, Mimecast, Avanan, Abnormal Security.
EDR / XDR on endpoints
If the malicious email arrives and the victim opens the attachment, EDR is the last technical chance before compromise. Behavioural detection blocks suspicious executions, isolates the endpoint and notifies the SOC. Without EDR, a malicious macro runs unopposed.
Web filtering and protected DNS
Filters that block suspicious domains at click time. They have two benefits: they stop the user who already clicked and reduce noise to the SOC. Usual solutions: Cisco Umbrella, Cloudflare Gateway, Zscaler, Microsoft Defender for Cloud Apps, native M365 and Google Workspace controls.
Credential detection in infostealers and leaks
Corporate credentials leaked by infostealers end up in underground markets and get used for credential stuffing and targeted phishing. Threat intelligence platforms alert when corporate emails appear in recent leaks and allow proactive reset.
Training and simulations: the human factor
No technique replaces a trained team. And no isolated training works; what works are continuous programmes.
What does work
- Short, frequent sessions (15-30 minutes, monthly or quarterly) instead of an annual 4-hour workshop.
- Real cases from the sector and from the organisation itself, not generic examples.
- Periodic simulations of phishing with realistic scenarios and increasing difficulty.
- Constructive feedback, not punitive. Whoever clicks receives a training piece, not a scolding.
- Published metrics (click rate, report rate, mean report time) discussed in committee.
What barely contributes
- Posters on the wall and long mandatory videos without follow-up.
- Trivial simulations everyone detects: if the click rate is 1%, simulations aren't training anything new.
- Individual punishments for falling for hard simulations: it breaks the fast reporting culture, which is the most valuable part of the programme.
The realistic goal isn't zero click rate (impossible and expensive), but high report rate and low report time: when someone falls, the next identical email gets reported in minutes, not hours.
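The metrics named above (click rate, report rate, time to report) come straight out of a simulation platform's export, and the one that matters most, how long until the first report, is what the later section calls human MTTR. The script below is an added example, not code from the article or from any simulation product: it computes those figures per campaign from a constructed export, including whether the first report arrived before the first click, which is the condition under which the SOC can purge the email before most people act.

```python
from datetime import datetime
from statistics import median

# Constructed export, one row per campaign recipient: (campaign, user, sent,
# clicked, reported). Timestamps are ISO strings; None means the event never happened.
EVENTS = [
    ("Q1-invoice", "ana", "2026-03-02T09:00", "2026-03-02T09:04", "2026-03-02T09:06"),
    ("Q1-invoice", "luis", "2026-03-02T09:00", None, "2026-03-02T09:08"),
    ("Q1-invoice", "marta", "2026-03-02T09:00", "2026-03-02T09:20", None),
    ("Q1-invoice", "pedro", "2026-03-02T09:00", None, None),
    ("Q2-mfa-reset", "ana", "2026-05-11T11:00", None, "2026-05-11T11:02"),
    ("Q2-mfa-reset", "luis", "2026-05-11T11:00", "2026-05-11T12:30", None),
    ("Q2-mfa-reset", "marta", "2026-05-11T11:00", None, None),
    ("Q2-mfa-reset", "pedro", "2026-05-11T11:00", None, "2026-05-11T13:05"),
]

def _minutes(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60

def campaign_metrics(events):
    """Per campaign: click rate, report rate, minutes to first and median report,
    minutes to first click, and whether the first report beat the first click."""
    per = {}
    for campaign, _user, sent, clicked, reported in events:
        c = per.setdefault(campaign, {"n": 0, "clicks": [], "reports": []})
        c["n"] += 1
        if clicked:
            c["clicks"].append(_minutes(clicked, sent))
        if reported:
            c["reports"].append(_minutes(reported, sent))
    out = {}
    for campaign, c in per.items():
        first_report = min(c["reports"]) if c["reports"] else None
        first_click = min(c["clicks"]) if c["clicks"] else None
        out[campaign] = {
            "click_rate": round(len(c["clicks"]) / c["n"], 2),
            "report_rate": round(len(c["reports"]) / c["n"], 2),
            "first_report_minutes": first_report,
            "median_report_minutes": median(c["reports"]) if c["reports"] else None,
            "first_click_minutes": first_click,
            # The SOC can purge the email before most victims act only if someone reports first.
            "report_before_first_click": (first_report is not None
                                          and (first_click is None or first_report < first_click)),
        }
    return out

def human_mttr_ok(metrics, target_minutes=15):
    """Campaigns whose first report arrived within the time the SOC needs to contain.
    The 15-minute default is an assumption for the example, not a figure from the article."""
    return {name: m["first_report_minutes"] is not None and m["first_report_minutes"] <= target_minutes
            for name, m in metrics.items()}
```

In the constructed data the Q1 campaign has a lower click rate than it looks good for: the first click (4 minutes) came before the first report (6 minutes), so the SOC could not have contained it in time. Q2 has the same report rate but the first report landed at 2 minutes, well ahead of the single click at 90, which is the pattern a maturing programme should show.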
Response plan: what to do if you fell for phishing
Eight steps in strict order. The sooner they get executed, the less damage the incident causes.
- Don't be embarrassed, report immediately. Fast reporting matters more than avoiding the click.
- Change the affected password and any service sharing that password (a bad practice worth eradicating with a password manager).
- Revoke active sessions of the compromised account. In Microsoft 365 and Google Workspace, the admin panel allows forcing global sign-out.
- Verify MFA: if you activated it recently or the attacker could add their own second factor, review registered methods and remove unrecognised ones.
- Isolate the machine if you downloaded an attachment or the website asked to execute something. Without shutting it down: powering off destroys volatile evidence, network isolation preserves it.
- Notify the security team or the contracted MDR with the email details, click time, what got entered and from which device.
- Review mailbox rules: attackers compromising accounts often create automatic forwarding rules to exfiltrate mail. Check and remove.
- Review account activity logs in the last hours: logins from strange IPs, mass downloads, configuration changes, new OAuth authorisations.
In incidents with suspicion of real compromise, the next step is professional DFIR to reconstruct the scope.
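Steps 7 and 8 of the plan (mailbox rules and recent activity) are the ones that get skipped under pressure, and they are also the ones that are easy to script once you have the exports in hand. The code below is an added example, not code from the article or from Microsoft 365 or Google Workspace: it reviews an inbox-rule export for external forwarding, deletion, hiding folders and the near-empty rule names that are typical of post-compromise rules, and scans a sign-in log for first-seen countries and country changes too close together to be one person travelling. The records and their field names are constructed for the example, not any product's schema; map your own export onto them.

```python
from datetime import datetime, timedelta

ORG_DOMAIN = "secra.es"
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Junk Email", "Deleted Items"}

# Constructed inbox-rule export. Field names are assumptions for the example, not a
# product schema; map your own export (for instance the admin console's rule list) onto them.
INBOX_RULES = [
    {"name": "Newsletters", "enabled": True, "forward_to": [], "delete": False,
     "move_to": "Newsletters", "condition": "from contains news@"},
    {"name": ".", "enabled": True, "forward_to": ["archive.backup@webmail.example"],
     "delete": True, "move_to": "RSS Subscriptions", "condition": "subject contains invoice"},
    {"name": "Finance copy", "enabled": True, "forward_to": ["finance@secra.es"],
     "delete": False, "move_to": None, "condition": "subject contains payment"},
]

# Constructed sign-in log (UTC) for the same account in the hours around the click.
SIGNINS = [
    {"time": "2026-03-02T08:05", "ip": "203.0.113.10", "country": "ES", "result": "success"},
    {"time": "2026-03-02T09:31", "ip": "198.51.100.77", "country": "NL", "result": "success"},
    {"time": "2026-03-02T09:33", "ip": "198.51.100.77", "country": "NL", "result": "success"},
    {"time": "2026-03-02T10:02", "ip": "203.0.113.10", "country": "ES", "result": "success"},
]

def suspicious_rules(rules, org_domain=ORG_DOMAIN):
    """Rules that forward outside the organisation, delete mail, park it in folders
    nobody reads, or carry the one-character names used to stay unnoticed."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        reasons = []
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + org_domain)]
        if external:
            reasons.append("forwards to external " + ", ".join(external))
        if r["delete"]:
            reasons.append("deletes messages")
        if r["move_to"] in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{r['move_to']}'")
        if len(r["name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((r["name"], reasons))
    return findings

def anomalous_signins(signins, known_countries=("ES",), window=timedelta(hours=2)):
    """Successful sign-ins from a country not seen before for this user, and
    country changes between two successes closer together than `window`."""
    findings, seen, prev = [], set(known_countries), None
    for s in sorted(signins, key=lambda x: x["time"]):
        if s["result"] != "success":
            continue
        t = datetime.fromisoformat(s["time"])
        if s["country"] not in seen:
            seen.add(s["country"])
            findings.append((s["time"], f"first sign-in from {s['country']} ({s['ip']})"))
        if prev and prev["country"] != s["country"] and t - datetime.fromisoformat(prev["time"]) <= window:
            findings.append((s["time"], f"{prev['country']} -> {s['country']} in under {window}"))
        prev = s
    return findings

def triage(rules=INBOX_RULES, signins=SIGNINS):
    """Everything a responder should remove or escalate for this mailbox."""
    return {"rules": suspicious_rules(rules), "signins": anomalous_signins(signins)}
```

Only the rule named "." is flagged, with all four reasons; the internal forward to finance is left alone, which is the usual false-positive source when people grep for "forward" by hand. The sign-in scan flags the first appearance of NL and both country changes inside the two-hour window, and those timestamps are what go into the notification to the security team or MDR.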
Phishing variants worth recognising
Generic phishing is only part of the picture. Targeted variants are the ones causing the most damage:
- Spear phishing: aimed at a specific person or team with personalised information (name, role, context).
- Whaling: spear phishing aimed at executives. Usually combines with supplier or senior officer impersonation.
- BEC (Business Email Compromise): the attacker compromises or impersonates a senior officer's corporate email to authorise fraudulent transfers or accounting changes.
- Smishing: phishing by SMS. Very effective against less-trained users and against bank accounts.
- Vishing: phishing by voice call. Combined with prior target data (leaked or public), it has notable success rates.
- Quishing: phishing with malicious QR codes that take the user out of the email (where the filter doesn't detect).
- Adversary in the middle (AitM): the attacker interposes a login page that captures credentials and valid session cookies. Bypasses standard MFA. The most active technique in 2026 against Microsoft 365.
More detail per variant in types of phishing and in its close relative pharming.
Common mistakes in anti-phishing programmes
Patterns that reduce effectiveness even when there's budget:
- Relying entirely on training without technical measures. Awareness with weak MFA and no email filter lets through campaigns a technical control would have stopped.
- Relying entirely on technical measures without training. No filter detects 100%. The user remains the last shield.
- Punishing the click. Reduces the report rate. The healthy culture is report fast without fear.
- Low-quality simulations. If test emails are too obvious, they don't train; if they're too tricky, they frustrate. Difficulty rises progressively.
- Not measuring human MTTR. The key indicator of a mature programme isn't how many click, but how long it takes someone to report the first click. If the first reports in 5 minutes, the SOC contains; if it takes 8 hours, it's already late.
- Not applying DMARC in reject. It's the difference between your domain being spoofable or not.
- Not reviewing third-party OAuth in Microsoft 365 and Google Workspace. Consent phishing (approving permissions to a malicious app) is a growing vector.
Frequently asked questions
How can I avoid phishing on my personal email?
Three measures cover most cases: enable MFA on all critical accounts (email, bank, social networks), use a password manager (unique passwords per service neutralise credential theft at one service), and don't click links in unexpected emails: if in doubt, go to the site by typing it yourself or use saved bookmarks. If urgency presses you, it's a red flag, not a commitment.
What do I have to do if I clicked a phishing link?
If you only clicked without entering data or downloading anything, risk is low (some sites load exploits, but an updated browser mitigates most). If you entered credentials, change the password immediately and, if it's a corporate account, notify the security team. If you downloaded a file, isolate the machine from the network without powering it off and report. Speed matters: the difference between containing a compromise or suffering a serious incident is measured in minutes.
Does MFA work to avoid phishing?
A lot, but it isn't invulnerable. SMS MFA blocks most mass attacks, but doesn't protect against SIM swapping or adversary in the middle (a growing technique in 2026). Authenticator apps with number matching improve the situation but can also fall to modern AitM kits. Passkeys and physical FIDO2 keys are today the only ones solidly resisting AitM and are the recommended option for privileged accounts, cloud administration and critical services.
How do I configure DMARC on my domain?
Three steps in order: configure SPF declaring authorised servers, configure DKIM signing outgoing mail with a key published in DNS, and publish the DMARC record starting in p=none (monitoring mode) with reports to your security team. After a few weeks analysing reports and fixing legitimate flows that don't sign, move to p=quarantine and finally to p=reject. Jumping to reject directly without prior monitoring can break legitimate mail.
How many phishing simulations per year should my company run?
The reasonable standard in mid-sized companies is a simulation every 4-6 weeks with different scenarios and increasing difficulty. Less frequency doesn't consolidate habits; more frequency generates fatigue. The metric that matters isn't click rate (that drops over time), but report rate and speed.
Is running phishing simulations on employees legal?
Yes, if it gets communicated within the general security framework (not in each simulation), declared in internal policy and in the GDPR notice, and the data gets handled with the declared purpose (training, not individual sanction). The works council, in organisations with representation, is usually informed. In practice, simulations are a standard tool in companies with a minimally mature security function.
What do I do with suspicious emails that aren't clearly phishing?
Report them to the security team with the "report phishing" button (Microsoft 365, Google Workspace and most filters have one). The SOC analyses, decides if it's real, blocks the sender and, if it's a targeted campaign, generates rules that protect the whole organisation. Each reported email improves the collective defence.
Related resources
- Types of phishing: full classification
- What is social engineering
- What is pharming
- Types of malware
- What is EDR
- What is a SOC
Avoiding phishing isn't just avoiding the click, it's building technical and human layers that reinforce each other. At Secra we design awareness and realistic simulation programmes with reporting metrics and continuous improvement, and we review the technical measures (DMARC, MFA, email filter, EDR) that close the loop. Tell us how your defence stands today and we'll see what's missing to raise the bar.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.